Canada: illegal use of data extraction tools by federal ministries

In Canada, the Standing Committee on Access to Information, Privacy and Ethics, a federal parliament body, heard a number of federal ministries in February 2024. The State investigation follows an article by Radio Canada on the use by these departments of smartphone and PC data extraction tools.

The ministries allegedly used the software without a prior privacy impact assessment (PIA), required by federal law. Several bodies admitted to the charges, including:

• Shared Services Canada;
• the Competition Bureau;
• the Transportation Safety Board of Canada;
• the Canada Border Services Agency.

The PIA “is a best practice that we should have implemented and that’s why we’re doing one now,” recognized Scott Jones, president of Shared Services Canada.

Other federal institutions were evasive, which led to a couple of tense moments with MPs. The spokesperson for National Defense, Sophie Martel, thus maintained her department had “a number of privacy impact assessments on the go right now.”

“Did you or did you not complete a PIA before first using this tool? You did or you didn’t? » insisted Conservative MP Michael Barrett. « I’m not sure, to be honest with you, » Martel finally answered. « We did not, » interjected her colleague Brig.-Gen. Dave Yarker, director general of cyber operations.

Other ministries claimed to have used PIAs before the committee, which they failed to mention when they were interviewed by Radio Canada. The Canadian Radio-television and Telecommunications Commission (CRTC) and Canada Revenue Agency (CRA) thus claimed to have carried out a PIA, respectively in 2014 and 2016. Finally, Natural Resources Canada confirmed acquiring these data extraction tools but never using them.